-
Notifications
You must be signed in to change notification settings - Fork 4
/
pauditd.yaml.example
168 lines (146 loc) · 6.54 KB
/
pauditd.yaml.example
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
# Configure socket buffers, leave unset to use the system defaults
# Values will be doubled by the kernel
# It is recommended you do not set any of these values unless you really need to
socket_buffer:
# Default is net.core.rmem_default (/proc/sys/net/core/rmem_default)
# Maximum max is net.core.rmem_max (/proc/sys/net/core/rmem_max)
receive: 16384
events:
# Minimum event type to capture, default 1300
min: 1300
# Maximum event type to capture, default 1399
max: 1399
# Configure message sequence tracking
message_tracking:
# Track messages and identify if we missed any, default true
enabled: true
# Log out of orderness, these messages typically signify an overloading system, default false
log_out_of_order: false
# Maximum out of orderness before a missed sequence is presumed dropped, default 500
max_out_of_order: 500
# Configure where to output audit events
# Only 1 output can be active at a given time
output:
# Writes to stdout
# All program status logging will be moved to stderr
stdout:
enabled: true
# Total number of attempts to write a line before considering giving up
# If a write fails pauditd will sleep for 1 second before retrying
# Default is 3
attempts: 2
# Writes to a http service
http:
enabled: false
attempts: 2
# The URL to send the POST request for each message
url: https://service-url/service
# Number of blocking workers that process messages going out to HTTP
# Default is 10 workers
worker_count: 10
# Sets the size of the http writer buffer which feeds the workers, if the buffer
# is full then you will messages dropped on the http_writer.Write([]byte) int
# method
# Default is 100 messages
buffer_size: 1000
# allows you to set an optional trace id header for the http requests
# default is none and disabled
trace_header_name: X-TRACE-ID
# body transformers can be written in golang to take the message and convert it
# into the http request body required for the service the request is being sent
# to (default is noop transformer)
response_body_transformer: noop
# debug sends audit logs to both stdout and http writer for debugging purposes
# also all systems are more verbose in this mode with configuration and other
# settings (default false)
debug: false
# http writer circuit breaker failure ratio for outgoing requests
breaker_failure_ratio: 0.05
# if the service that http writer is sending to requires ssl it can be
# configured and enabled here (default enabled false)
ssl:
enabled: true
client_cert: /etc/certs/mycert.crt
client_key: /etc/certs/mykey.key
ca_cert: /etc/certs/my_ca.crt
# Writes logs to syslog
syslog:
enabled: false
attempts: 5
# Configure the type of socket this should be, default is unixgram
# This maps to `network` in golangs net.Dial: https://golang.org/pkg/net/#Dial
network: unixgram
# Set the remote address to connect to, this can be a path or an ip address
# This maps to `address` in golangs net.Dial: https://golang.org/pkg/net/#Dial
address: /dev/log
# Sets the facility and severity for all events. See the table below for help
# The default is 132 which maps to local0 | warn
priority: 129 # local0 | emerg
# Typically the name of the program generating the message. The PID is of the process is appended for you: [1233]
# Default value is "pauditd"
tag: "audit-thing"
# Appends logs to a file
file:
enabled: false
attempts: 2
# Path of the file to write lines to
# The actual file will be created if it is missing but make sure the parent directory exists
path: /var/log/pauditd/pauditd.log
# Octal file mode for the log file, make sure to always have a leading 0
mode: 0600
# User and group that should own the log file
user: root
group: root
# Configure logging, only stdout and stderr are used.
log:
# Gives you a bit of control over log line prefixes. Default is 0 - nothing.
# To get the `filename:lineno` you would set this to 16
#
# Ldate = 1 // the date in the local time zone: 2009/01/23
# Ltime = 2 // the time in the local time zone: 01:23:23
# Lmicroseconds = 4 // microsecond resolution: 01:23:23.123123. assumes Ltime.
# Llongfile = 8 // full file name and line number: /a/b/c/d.go:23
# Lshortfile = 16 // final file name element and line number: d.go:23. overrides Llongfile
# LUTC = 32 // if Ldate or Ltime is set, use UTC rather than the local time zone
#
# See also: https://golang.org/pkg/log/#pkg-constants
flags: 0
// This allows for configuration of specific options
// related to the notification-service-tranformer.
notification-service-transformer:
// enables extra attributes to be added to the message
// sent to the notification service
extra_attributes:
ip_address: 192.168.0.5
# metrics configuration currently only supports statsd
metrics:
# if metrics are disabled then they are not sent
enabled: true
# address for statsd server to send metrics to
address: metrics.somecompany.com:8125
# sample rate to reduce statistics being kept
sample_rate: 0.5
rules:
# Watch all 64 bit program executions
- -a exit,always -F arch=b64 -S execve
# Watch all 32 bit program executions
- -a exit,always -F arch=b32 -S execve
# you can set a rule key with the -k option which will allow filtering on the messages
# from this specific rule
- -w /etc/passwd -p w -k passwd-write-log
# Enable kernel auditing (required if not done via the "audit" kernel boot parameter)
# You can also use this to lock the rules. Locking requires a reboot to modify the ruleset.
# This should be the last rule in the chain.
- -e 1
# If kaudit filtering isn't powerful enough you can use the following filter mechanism
# There are two kinds of filters:
# - Syscall/MessageType filters
# - RuleKey filters
# Order matters for rule ordering within a specific syscall/message_type or a rule key
filters:
- syscall: 49 # The syscall id of the message group (a single log line from pauditd), to test against the regex
message_type: 1306 # The message type identifier containing the data to test against the regex
regex: saddr=(10..|0A..) # The regex to test against the message specific message types data
- key: passwd-write-log # the rule key for the messages to filter (-k on audit rule)
action: drop # action to take when the rule matches, this defaults to drop (drop or keep)
regex: "uid_map":{"0":"root"} # The regex to test against the message specific message types data